PMASA-2010-10 [1] indicates that unauthenticated users were able to display phpinfo() output if phpMyAdmin was enabled to show it (which is not the default). The phpinfo.php script incorrectly defined the PMA_MINIMUM_COMMON constant, which is used to skip authentication. This has been corrected [2] in 3.4.0-beta1.

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
[2] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=4d9fd005671b05c4d74615d5939ed45e4d019e4c
Created phpMyAdmin tracking bugs for this issue
Affects: fedora-all [bug 662367]
May somebody please close this report? phpMyAdmin 3.3.10 is on all active Fedora and EPEL branches available that have PHP >= 5.2.
Robert, feel free to close Security Response product bugs for phpMyAdmin when you're done with them. I believe you should be able to do that. phpMyAdmin is currently in Fedora and EPEL and no other product that uses Red Hat bugzilla.
Tomas, my main problem is that Bugzilla doesn't let me do such actions...sorry.
Robert: You need to make sure your bugzilla email matches up with your fas email in order to have the correct privs. In this case it doesn't, so your current bugzilla account doesn't get the privs. If you change your bugzilla email and/or fas account email to match you should be all set. ;)